from the ill-communication dept

By now the President's unwillingness to adhere to anything close to reasonable security when using his mobile phones has been made pretty clear. Whereas the Defense Information Systems Agency (DISA) and the NSA usually work in concert providing state leaders with "hardened" devices that are heavily encrypted, routinely updated, and frequently swapped out, Trump has refused to use these more secure DMCC-S devices (effectively a Samsung Galaxy S4 device utilizing Samsung's Knox security architecture), because it might infringe on his ability to Tweet.

Past reports have suggested that security advisors have at least convinced him to use two iPhones: one locked down specifically for Twitter, and the other specifically tasked with making phone calls. But as a new report this week from the New York Times makes clear, Trump's lax phone security is being pretty routinely taken advantage of by foreign intelligence agencies:

"When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing, American intelligence reports indicate that Chinese spies are often listening — and putting to use invaluable insights into how to best work the president and affect administration policy, current and former American officials said."

Senators sent a letter to Trump back in April expressing concern at his abysmal operational security, but that message still hasn't gotten through to the aggressively cocksure President, according to the Times report:

"Mr. Trump’s aides have repeatedly warned him that his cellphone calls are not secure, and they have told him that Russian spies are routinely eavesdropping on the calls, as well. But aides say the voluble president, who has been pressured into using his secure White House landline more often these days, has still refused to give up his iPhones. White House officials say they can only hope he refrains from discussing classified information when he is on them."

The Times quotes numerous anonymous experts who say their claims come from sources in these foreign governments. And while the Times story doesn't get technical about how foreign intelligence agencies are tapping into the calls, many surmise they're exploiting, among other things, the cellular network Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US) flaw that the industry has been refusing to fix for the better part of the last decade. The flaw can be exploited to track user location, dodge encryption, and even record private conversations if strict countermeasures aren't adhered to.

That said, security experts were quick to point out there's an ocean of ways that foreign intelligence agencies could be intercepting Trump's calls in transit via passive decryption as the calls travel between the phone and cellular tower:

4) Passive decryption.

The Russian and Chinese embassies are likely sucking up all GSM/LTE bands in the district. Modern iPhones would do most voice as VoLTE, meaning this would require a passive attack against handshake or KASUMI cipher. Seems most likely.

Of course intel agencies could also be targeting his most-commonly called individuals on the other end. As is his way, the President was quick to issue a Tweet insisting the entire story was false...while using his iPhone:

The so-called experts on Trump over at the New York Times wrote a long and boring article on my cellphone usage that is so incorrect I do not have time here to correct it. I only use Government Phones, and have only one seldom used government cell phone. Story is soooo wrong!

To let Trump's ego dictate his security practices is obviously still problematic, potentially even to the point of putting lives at risk. It's also incredibly ironic given all the time Trump spends complaining about potential Chinese spying habits, including the Trump-driven blacklist of all Huawei products in the United States. It's a blackballing that's not based on much in the way of evidence, but is certainly appreciated in a protectionist capacity by the U.S. networking and cell phone vendors who didn't want to have to compete with cheaper Chinese gear. Huawei, for its part, was quick to make light of the report:

China spokeswoman Hua Chunying on the NYT Trump iPhone tapping story: "If they are very worried about iPhones being tapped, they can use Huawei." pic.twitter.com/lZ48beuA7e

Trump's phone habits continue to be a giant middle finger toward transparency (like adhering to the Presidential Records Act) and fundamental opsec, but neither Trump nor the adults tasked with his daily supervision appear to much care.

“Natalie Mayflower Sours Edwards, a senior-level FinCEN employee, betrayed her position of trust by repeatedly disclosing highly sensitive information contained in Suspicious Activity Reports (SARs) to an individual not authorized to receive them,” Berman said in a statement Wednesday announcing the charges.

The leaked SARs dealt with alleged money laundering by Russian diplomats, as well as transactions possibly related to the purchase of hacked Hillary Clinton emails by a GOP figure. These were supposedly the basis for nine Buzzfeed articles over the last year, with the most recent article cited in the complaint appearing only a few days ago (October 15).

The complaint [PDF] itself is an interesting read. It makes it clear investigators don't necessarily need to see the content of a person's messages to draw inferences about their behavior.

18. Based upon my training, experience, my conversations with other law enforcement agents with training and experience in cyber technology, and my conversations with law enforcement agents who have reviewed records received in response to a judicially-authorized pen register and trap and trace order for the EDWARDS Cellphone (the "EDWARDS Pen"), I have learned, among other things, that:

a. The EDWARDS Cellphone utilized a mobile messaging service that utilizes end-to-end encryption (the "Encrypted Application"), that is, a method of secure communication that prevents third-parties from accessing data, including the companies that host the end-to-end services, and law enforcement.

b. On or about August 1, 2018, within approximately six hours of the EDWARDS Pen becoming operative--and the day after the July 2018 Article was published--the EDWARDS Cellphone exchanged approximately 70 messages via the Encrypted Application with the Reporter-1 Cellphone during an approximately 20-minute time span between 12:33 a.m. and 12:54 a.m.

c. Between on or about July 31, 2018 and August 2, 2018, the EDWARDS Cellphone and the personal cellphone of CC-1 exchanged dozens of messages via the Encrypted Application.

d. On or about August 2, 2018, approximately one week prior to the publication of the First August 2018 Article, the EDWARDS Cellphone exchanged approximately 541 messages with the Reporter-1 Cellphone via the Encrypted Application.

e. On or about August 10, 2018, the day of the publication of the First August 2018 Article, the EDWARDS Cellphone and the Reporter-1 Cellphone exchanged approximately 11 messages via the Encrypted Application.

It doesn't appear investigators were able to access the content of the messages until they examined Edwards' phone.

Throughout the course of 2018, EDWARDS engaged in hundreds of electronic communications with Reporter-1, many via an encrypted application. A review to date, pursuant to a judicially-authorized search warrant executed today, of EDWARDS's personal cellphone has revealed that that cellphone contains the substance of many of these communications, including, as described in greater detail below, communications in which EDWARDS transmitted or described SARs or other protected information to Reporter-1.

So much for going dark. Presumably the information obtained with the pen register order was enough to secure a warrant to search a cellphone and flash drive owned by Edwards. "Reporter-1" is likely Jason Leopold, who wrote or co-wrote every article named in the DOJ complaint. This also means the DOJ likely has a whole bunch of conversations between a journalist and his source, although obtaining them from the source makes it far less of a First Amendment issue.

The other interesting part of the complaint is this: Edwards viewed her leaks as whistleblowing and had pursued a whistleblower complaint in the past.

During the interview described herein, EDWARDS told the Interviewing Agents, in sum and substance, that she is a "whistleblower" who provided the SARs to Reporter-1 for "record keeping." Based on my participation in this investigation and my conversations with other law enforcement agents, I am aware that, prior to the SARs Disclosures, EDWARDS had previously filed a whistleblower complaint unrelated to the SARs Disclosures, and that EDWARDS had also reached out to congressional staffers regarding, among other things, her unrelated whistleblower complaint.

These leaked SARs may have been one of the "other things" she spoke to staffers about. It appears she felt these SARs would just be buried by the administration. Or she felt these were of enough public interest they should be publicly-disclosed. Or it just may be the excuse she gave investigators during the interview.

from the public-servants-still-screwing-the-people-they-serve dept

One of those things I thought would have gone out of vogue is apparently still in style in New Hampshire. The number of bullshit wiretap prosecutions brought against people recording cops has dropped precipitously over the past half-decade as courts have found use of wiretap statutes in this fashion unconstitutional, but over in the Live Free or Die state, the statute lives freely and dies even harder.

Back in 2015, prosecutors brought wiretapping charges against Alfredo Valentin. Valentin had returned home one day to find a SWAT team in the middle of a no-knock raid. Apparently, Valentin's roommate was also a heroin dealer. Valentin had been called home by a neighbor who noticed his dog wandering the street, apparently set free (and still alive!) by the SWAT team's home-breaching efforts. Valentin chose to record the officers as they proceeded with the raid despite officers telling him (wrongly) that he couldn't.

This became a wiretapping charge because the cops couldn't handle a citizen ignoring a direct order. They claimed Valentin "hid" the phone by placing it down by his leg while he kept recording. Apparently, the officers could still see the phone, so claims of it being a "secret" recording were per se moronic. But this was what the flimsy, highly-questionable charges rested on: a supposedly surreptitious recording officers in attendance knew was happening.

The settlement, which was reached in late September, was announced Wednesday by the ACLU-New Hampshire.

Lehmann said Valentin received about two-thirds of the settlement, and he will use it to get his life back together. He was arrested in March 2015. The previous year, Free State activists from New Hampshire prevailed when the U.S. First Circuit Court of Appeals ruled that any person has a First Amendment right to video or audio-record police officers engaged in official duties in public places.

Gilles Bissonnette, the ACLU-NH's legal director and co-counsel, said the settlement recognizes that recordings of police are a critical check on police power.

"The police need to understand that individuals who are recording their work without interference have a constitutional right to do so, and it is not cause for their arrest," Bissonnette said.

The First Amendment right exists with or without a police officer giving consent to the recording, the ACLU said.

The $275,000 settlement will hopefully help Valentin piece back together a life law enforcement officers vindictively destroyed. Following his arrest, Valentin lost his job of eleven years and has spent the past two years trying -- and failing -- to restart his career. Having a felony arrest on his record doesn't help, even if charges were ultimately dropped.

New Hampshire's wiretapping statute still stands. The state requires two-party consent for recordings. But, as has been pointed out by courts previously, the state's statute does not apply to recording public servants like police officers performing their duties in public. The state's Attorney General made this explicitly clear in the wake of the First Circuit Appeals Court's Glik decision. A memo [PDF] clarifying the right to record police was sent to law enforcement agencies in 2012, so the officers here -- and the prosecutor who chose to continue pressing charges -- had no excuse for their actions. In the process, they cost an innocent person his job and derailed his life for the better part of two years. And in the end, they'll have the bill covered by New Hampshire taxpayers and a signed agreement saying they did nothing wrong.

from the webwatching-your-way-to-an-easier-divorce! dept

The Sixth Circuit Court of Appeals has decided a man whose communications were snagged by commercial spyware can sue the software's maker for violating federal wiretap law.

The plaintiff, Javier Luis, became involved in an online relationship with an unhappily married woman. Her husband, Joseph Zang, installed Awareness Technologies' "WebWatcher" on his wife's computer in order to keep tabs on her online communications. After discovering his communications had been intercepted, Luis sued the software's maker (along with the husband, who has already settled with Luis and is no longer listed as a defendant).

The Appeals Court doesn't form an opinion on the strength of Luis's claims -- only noting that they're strong enough to survive dismissal. Awareness Software will be able to more fully address the allegations in the lower court on remand, but for now, the Appeals Court finds [PDF] the software's "contemporaneous interception" of electronic communications to be a potential violation of the Wiretap Act.

Two allegations in the complaint support this inference. First, Luis alleges that the communications at issue “were not originally stored on the computer’s hard drive.” The communications were instead acquired by Awareness “as [they were] being written and communicated between senders and recipients.” This allegation directly supports the proposition that the communications were still “in flight” for the purposes of 18 U.S.C. § 2511.

[...]

Second, Luis alleges that “WebWatcher immediately and instantaneously rout[e]s the intercepted communications to their [i.e., Awareness’s] servers located in California.” (Emphasis in original.) This allegation directly supports an inference of contemporaneous interception because, if WebWatcher does in fact “immediately and instantaneously” copy and send communications “as [they are] being written,” then the acquisition of the communications likely occurs before the communications have come to rest in electronic storage.

Somewhat illogically, Awareness suggested that the supporting evidence provided by Luis could have referred to a different product (not made by Awareness) that has an identical name.

Awareness is of course correct that some possibility exists that the marketing materials might refer to another device carrying the trademark “WebWatcher” that is unaffiliated with Awareness’s own WebWatcher. This argument, however, is far-fetched at best, and the more “plausible inference,” see id. at 682, is that the materials do in fact apply to Awareness’s WebWatcher that Joseph allegedly used.

Slightly more logically, it suggested that it cannot be held liable under the Wiretap Act because it's the end user that actually violates the Act when they install the software and put it to use. This is what the lower court found in its decision, based on a Report and Recommendation (R & R) put together by a magistrate judge.

With respect to the claimed violation of 18 U.S.C. § 2511, the R&R concluded that Awareness itself did not “intercept” Luis’s communications because it was Joseph [Zang]—not Awareness—that installed the WebWatcher program on the computer used by Catherine. And with respect to the claimed violation of 18 U.S.C. § 2512, the R&R concluded that Awareness could not be held liable simply for manufacturing a product that others—such as Joseph—used to violate the Wiretap Act.

Awareness also argued that WebWatcher's interception of communications wasn't "contemporaneous" and therefore isn't a violation of the Wiretap Act. Instead, it claimed it grabbed communications in "near real-time" and stored a copy on its servers for access by users. The Appeals Court notes that Awareness's own promotional efforts seem to tell a different story.

The marketing materials attached to Luis’s complaint support this conclusion. As Luis notes, the materials state that WebWatcher lets its users review a person’s electronic communications “in near real-time, even while the person is still using the computer.” The materials further note that any deviation from real-time monitoring results not from delays regarding when the communications are acquired, but from variations in “the Internet connection speed of the computer being monitored.”

This near real-time monitoring is significant. If a WebWatcher user can in fact review another person’s communications in near real time, then WebWatcher must be acquiring the communications and transferring them to Awareness’s servers as soon as the communications are sent. The program, in other words, does not wait for the communications to be stored; instead, the program as described captures and reroutes the communications so that a WebWatcher user can review the communications at nearly the same time as they are being transmitted.

In addition, the marketing materials state that “[e]ven if a document is never even saved, WebWatcher still records it.” This feature indicates that WebWatcher does not wait for electronic communications to be saved in a computer’s electronic storage. Rather, the product records the communications as they are being sent, without regard for whether a copy is ever placed in the storage of the affected computer. This aspect of WebWatcher’s operations thus implies that the alleged acquisition of Luis’s communications indeed occurred while the communications were still “in flight.”

The court also notes that Awareness's own marketing materials suggest there are few wholly-legal uses for its WebWatcher software. Given its function, most end user deployment is almost certain to violate federal or state wiretap laws. (This explains the following disclaimer on the WebWatcher site: "Awareness Technologies Terms of Use and End User Licensing Agreement require that you only install its software on computers that you own or have permission to monitor and that you inform all users of those computers that they are being monitored.") Because of this, the court finds that Awareness cannot dodge civil liability simply because it performs no interception of communications until a purchaser installs and deploys its software.

[W]e today hold that a defendant such as Awareness—which allegedly violates § 2512(1)(b) by manufacturing, marketing, and selling a violative device—is subject to a private suit under § 2520 only when that defendant also plays an active role in the use of the relevant device to intercept, disclose, or intentionally use a plaintiff’s electronic communications.

So even though Awareness itself did not initiate the specific action that “intercepted, disclosed, or intentionally used” Luis’s communications in violation of the Wiretap Act, it is alleged to have actively manufactured, marketed, sold, and operated the device that was used to do so. This is enough to establish that Awareness was “engaged in” a violation of the Wiretap Act in a way that defendants such as those in Treworgy and Amato—who simply possessed wiretapping devices—were not.

The dissenting opinion, however, points out that allowing the plaintiff to pursue Awareness under the Wiretap Act not only shifts some responsibility off the shoulders of the person who initiated the interception (the aggrieved husband) but also more than "liberally construes" the content of Javier Luis's pro se filing.

The majority accepts Luis’s argument on appeal that the complaint directly implicates Awareness in paragraph 77. But this reading is much more than just charitable—it grasps at straws. In describing how WebWatcher operates, Paragraph 77 uses only a possessive pronoun that lacks any antecedent: “WebWatcher immediately and instantaneously routs the intercepted communications to their servers located in California to be stored for their subscribers to later retrieve at their leisure.” Awareness is neither named nor the subject of the action. This paragraph, located amidst Luis’s allegations against the other defendants, does not give rise to the plausible inference that Awareness intentionally intercepted Luis’s communications.

[...]

It does not put Awareness on notice that it—the manufacturer and seller—could be liable for anonymous customer Joseph Zang’s misuse of the WebWatcher. Luis’s novel theory of liability does not appear even to have been tried, much less to have been successful, in any previous case. Neither Awareness nor the district court should have been expected to divine it from Luis’s allegations against the other defendants. I would affirm the district court’s dismissal of Luis’s § 2511 claim against Awareness. I would affirm the dismissal of Luis’s state-law claims for the same reason.

That's the downside of this reversal by the Appeals Court: manufacturers and developers will now face an increased risk of civil litigation if their products could possibly be used to violate laws. This negative side effect is diminished somewhat by Awareness's participation in the interception -- the storage of communications on its servers -- but it's still the sort of thing that could encourage speculative litigation aimed at the target with the deepest pockets, rather than the entity that actually broke the law.

from the Drug-War-conquers-all dept

Despite a 21 percent increase in wiretaps authorized by state courts overall between 2014 and 2015, the number of cases where law enforcement encountered encryption decreased from 22 to seven.

And out of 1,403 wiretaps authorized by federal judges, only six encountered encrypted communication. Two of those were decrypted by law enforcement, leaving only four that could not be deciphered.

[...]

That means that in 2015, out of 4,148 total wiretaps, only 11 encountered a form of encryption law enforcement could not break. That’s about one quarter of one percent.

Not so fast. The lack of issues in this report doesn't necessarily mean law enforcement agencies aren't encountering encryption. It simply means they're not running into it while utilizing wiretaps. There's a lot this report doesn't cover and there are many instances where the chance of running into encryption that renders wiretaps useless is simply being avoided. Why do the paperwork if there's nothing to be acquired?

After this story was published, an FBI spokesperson echoed the arguments of Comey and Yates, saying the Wiretap Report numbers “should not be surprising: agents now recognize when they are likely to encounter encryption and do not waste their time on fruitless endeavors.”

The FBI pointed to other reports more closely aligned with Comey's anti-encryption proselytizing.

The spokesperson added that “a better representation” of the going dark problem is the number of devices that the Computer Analysis Response Team (CART) and Regional Computer Forensic Laboratory (RCFL), the FBI teams that help state and local police with technical requests, have been unable to unlock due to being encrypted.

“Over the 6-month period from October 1, 2015 – March 31, 2016, approximately 4,000 devices were submitted for digital forensic analysis. About 500 of those could not be unlocked,” FBI spokesperson Christopher Allen said.

Apples and oranges. But that's to be expected. One report deals with wiretap warrants obtained under one legal authority. The other deals with search warrants obtained under another. Wiretaps will rarely run into encryption because there are a wealth of options available to obtain communications that don't involve intercepting them... or more closely reflect the current reality of communications -- which isn't tied to plain old telephone service.

Whatever the government is doing with these other options can't easily be examined by the general public because there are no reporting requirements tied to these, unlike wiretap warrants. So, the number of times where encrypted communications (not contained in locked phones) are holding up law enforcement cannot be nailed down with any certainty. The DOJ could collect and disseminate this data, but it would certainly prefer to keep its reporting requirements to a minimum, even if this data would back up Comey's encryption histrionics.

What hasn't changed, however, is what wiretaps are used for: drugs. 3,367 of 4,148 issued in 2015 were for narcotics investigations. And for those of you who have followed the explosion of possibly illegal wiretaps originating from a single county courthouse in California, it's no surprise the state issuing the most federal wiretap orders is that particular coastal "drug corridor."

And, if law enforcement only ran into encryption in ¼ of 1% of wiretap orders, it ran into adversarial judges even less: every single one of the 4,148 federal wiretap requests was granted in 2015.

Taking James Comey at his word that encryption is a huge problem, it would appear the DOJ would rather withhold any data that supports this assertion than develop a precedent it doesn't like: additional reporting requirements on the ECPA orders, NSLs, and regular old search warrants it uses to obtain digital communications. Almost everything in this report deals with old-fashioned landlines, so its depiction of federal surveillance is woefully incomplete.

from the be-forewarned dept

The Sixth Circuit court of appeals has now made it clear: you have no expectation of privacy in your butt dials. The full ruling makes for some fascinating reading. Apparently a guy named James Huff made what must be one of the most expensive butt dials in history. Huff, who was chairman of the Kenton County Airport Board (in Kenton, Kentucky) which oversees the Cincinnati/Northern Kentucky Airport (CVG), was in Europe on a business trip. At one point, he tried to call Carol Spaw, the executive assistant of the airport's CEO, Candace McGraw, to see if Spaw could schedule a dinner reservation for him and another board member. His call failed, but after another board member with Huff successfully reached Spaw, it appears that Huff's phone, in his pocket, called again and he was -- unknowingly -- successfully connected with Spaw.

At this point, though, Huff was already talking with the other board member, Larry Savage, about possibly replacing Spaw's boss, McGraw. Spaw proceeded to then continue to listen and transcribe notes of what was being said, including recording parts of the call, which lasted for approximately an hour and a half (yes, from Italy to Kentucky, so... the price of the call alone was probably quite a lot, not counting the eventual legal costs). As for why she did this:

Spaw claims that she believed that she heard James Huff and Savage engaged in a discussion to discriminate unlawfully against McGraw and felt that it was her responsibility to record the conversation and report it through appropriate channels.

Eventually Spaw typed up the notes she had taken, hired a company to enhance the audio of the recording she made and shared both with other board members. Huff was... not happy. He (and his wife) sued Spaw, claiming illegal wiretapping under 18 USC 2511. The lower court tossed out this claim, and the Huffs appealed.

Here, the court examines whether or not Huff had a reasonable expectation of privacy in his conversation, and notes that he knew there was such a risk and had, in fact, made such errant calls in the past. Thus, he had no reasonable expectation of privacy, since it was his own negligence that resulted in the butt dial:

At his deposition, James Huff admitted that he was aware of the risk of making inadvertent pocket-dial calls and had previously made such calls on his cellphone. A number of simple and well-known measures can prevent pocket-dials from occurring. These include locking the phone, setting up a passcode, and using one of many downloadable applications that prevent pocket-dials calls.... James Huff did not employ any of these measures. He is no different from the person who exposes in-home activities by leaving drapes open or a webcam on and therefore has not exhibited an expectation of privacy.

The court rejects the claim, made by the Huffs, that such a ruling would mean no one had any expectation of privacy in their phone calls:

The Huffs warn that, if we do not recognize James Huff’s reasonable expectation of privacy in this case, we would deprive all cellphone-carrying Americans of their reasonable expectations of privacy in their conversations.... We disagree. Not recognizing James Huff’s expectation would do no more injury to cellphone users’ privacy interests than the injury that the plain-view doctrine inflicts upon homeowners with windows or webcams. A homeowner with an uncovered window or a broadcasting webcam lacks a reasonable expectation of privacy with respect only to viewers looking through the window that he neglected to cover or receiving signals from the webcam he left on. He would retain a reasonable expectation of privacy in his home with respect to other means of observation, for example thermal-imagery devices.... Similarly, James Huff retained an expectation of privacy from interception by non-pocket-dial means, such as by a hidden recording device or by someone covertly causing his cellphone to transmit his statements to an eavesdropper.... James Huff lacked a reasonable expectation of privacy in his statements only to the extent that a third-party gained access to those statements through a pocket-dial call that he placed. In sum, a person who knowingly operates a device that is capable of inadvertently exposing his conversations to third-party listeners and fails to take simple precautions to prevent such exposure does not have a reasonable expectation of privacy with respect to statements that are exposed to an outsider by the inadvertent operation of that device.

So, the failed lawsuit would then be the second part of why this was likely the most expensive butt dial in history.

Of course, it's not a total loss for the Huffs. As noted earlier, it wasn't just James Huff who sued, but also his wife, Bertha. Apparently part of the overheard conversation was between James and Bertha, and the court is much more receptive to Bertha's "reasonable expectation of privacy" claim. The lower court had said she didn't have a reasonable expectation of privacy, since she knew that her husband's phone might butt dial someone. The appeals court finds that to be a bit more ridiculous.

If Bertha waived her reasonable expectation of privacy from pocket-dials by speaking to a person who she knew to carry a pocket-dial-capable device, she would also waive her reasonable expectation of privacy from recordings and transmissions by speaking with anyone carrying a recording-capable or transmission-capable device, i.e., any modern cellphone. The district court’s holding would logically result in the loss of a reasonable expectation of privacy in face-to-face conversations where one party is aware that a participant in the conversation may have a modern cellphone. As nearly every participant in a conversation is a potential cellphone carrier, such a conclusion would dramatically undermine the protection that Title III grants to oral communication.

And thus, the court sends it back down to the lower court to determine if Spaw's answering of the phone, listening to the call she received and taking such notes (and recording part of the call) constituted "intentional use of a device" to intercept Bertha Huff's oral communications. Most of that seems like a stretch -- though the fact that, at one point, she did have someone go get another phone with which to record the call at least raises some questions that make it not so cut and dried.

Either way, the moral of the story: don't butt dial. And, if you do: don't then discuss figuring out a way to fire the boss of the person you butt dialed.

from the everybody-loses dept

As we just got done discussing, AT&T, Verizon and Sprint recently were able to dodge a long-running lawsuit alleging the companies have been dramatically overcharging the government for wiretaps for more than a decade. The lawsuit was filed by former New York Deputy Attorney General John Prather, who spent thirty years in the AG's office (and six years on the Organized Crime Task Force in NY) helping to manage wiretaps and invoices for wiretap provisioning. Prather filed the suit on behalf of the U.S. government, but telco lawyers were able to have the suit dismissed by arguing that Prather couldn't technically sue the telcos under the False Claims Act as a whistleblower, because he filed the original complaint while working for the government.

Now it appears that at least one of the telcos is being focused on for round two, with the news that the government is suing Sprint for overcharging for wiretaps under CALEA. Under CALEA, phone companies are allowed to recoup "reasonable expenses," but the lawsuit claims that Sprint overcharged the government to the tune of $21 million, overinflating charges by approximately 58 percent between 2007 and 2010. The Prather case claimed the telcos overcharge for taps in general, but have historically dodged culpability by simply hitting the government with large bills that don't itemize or explain why a wiretap should magically cost $50,000 to $100,000.

Sprint appears to have been specifically nabbed by the Justice Department’s Inspector General because it wasn't clever enough about passing on the costs of modifying its network to adhere to CALEA back to the government, something the law prohibits:

"Despite the FCC’s clear and unambiguous ruling, Sprint knowingly included in its intercept charges the costs of financing modifications to equipment, facilities, and services installed to comply with CALEA. Because Sprint’s invoices for intercept charges did not identify the particular expenses for which it sought reimbursement, federal law enforcement agencies were unable to detect that Sprint was requesting reimbursement of these unallowable costs."

It should be interesting to see if AT&T and Verizon face similar lawsuits down the road, or if their lawyers and accountants were simply better at obscuring overbilling. It's kind of a lose-lose scenario for you and me either way. Not only do we get to be spied on, we likely paid for these wiretaps both on the taxpayer side and on the telco side as the companies passed on both real and imaginary wiretap costs to you.

from the not-so-hard-justice dept

AT&T and Verizon's ultra-close relationship with government surveillance efforts has been profitable in innumerable ways. Obviously being a loyal patriot means you'll have a better chance of grabbing multi-billion dollar military and government communications contracts. Carriers also pass on most of the costs of outfitting their network for easier surveillance (like those live fiber splits AT&T whistleblower Mark Klein exposed) directly to you, the consumer. Lastly, as we've discussed more than a few times whenever pricing sheets leak, they make a pretty penny on law enforcement wiretap requests. Maybe a bit too pretty.

Back in 2009, former New York Deputy Attorney General John Prather filed a lawsuit on behalf of the U.S. government, accusing Verizon, AT&T, Sprint and Qwest (now CenturyLink) of overcharging federal, state and city governments for services under CALEA. Prather, who helped lead the NY AG's Organized Crime Task Force from 2002 to 2008 as part of thirty years as a prosecutor, was intimately familiar with wiretap procedure and spent years in charge of invoices for wiretap provisioning. Prather claimed telcos had aggressively been price gouging law enforcement for some time, jacking up prices year over year without any sensible explanation why some wiretaps should cost in some cases $50,000 to $100,000 each.

Prather claims he filed a complaint with the FCC in 2004, which did nothing about it. Prather's lawsuit was dismissed a few months back (pdf) after the court claimed his insights were conjecture in that he didn't provide enough firsthand evidence of fraud. That degree of proof was required because, according to telco lawyers, Prather technically couldn't file a whistleblower lawsuit under the False Claims Act and claim he himself was the "original source of the information" -- because he filed the original complaint while working for the government.

As a tiny win, however, the court this week stated that phone company lawyers couldn't prove that Prather was filing the lawsuit simply to harass the phone companies, and as such they'll be required to at least pay their own legal costs related to the case:

"Furthermore, the phone companies "fail to show that Relator's action was 'clearly vexatious' or 'brought primarily for purposes of harassment' as there is no evidence that relator pursued this litigation merely to annoy or embarrass defendants," the ruling states. "Conversely, Relator asserts that he brought this action 'in an attempt to bring to light the fraud of the telecommunications carriers, and to help insure that the Law Enforcement Agencies would not be hindered in their investigation of crime.'"

Understand that Verizon and AT&T have a long and proud history of taking all manner of subsidies, tax breaks or other incentives for services never delivered, and when they do deliver, over-charging like any good unaccountable government contractor. The combination of excellent lawyers, an apathetic government afraid of taking on larger companies and the fact that phone companies are simply damn good at it has historically allowed them to get away with pretty much whatever they've wanted. Actually requiring the phone companies to pay their own lawyers may not sound like much, but when AT&T and Verizon lawyers are involved, it's dramatically more than you'll usually see in cases like this.

from the as-expected dept

It appears that some of the details that resulted in Lavabit shutting down have been unsealed, and Kevin Poulsen, over at Wired, has the details and it's pretty much what most people suspected. The feds got a court order, demanding that Lavabit effectively hand over the keys to everyone's emails. Lavabit's Ladar Levison refused, and he was then threatened with $5,000/day fines, contempt of court charges and possibly more.

Initially, Lavabit was sent a pen register order letting the government know every time Ed Snowden logged in (Snowden's name is redacted, but it's clear that this is about him). Lavabit said that it wouldn't defeat its own encryption system, and the court quickly ordered Lavabit to comply:

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys.”

Once again, Levison refused to reveal the SSL keys, leading to the $5,000 per day fine imposed by Magistrate Judge Theresa Buchanan. The fines began August 6th. Lavabit shut down on August 8th.

Again, something along those lines was what many people had assumed happened, but now it's been confirmed. Kudos to Levison for standing his ground on this. I know that people in our comments like to insist that every company should act this way, but it's not nearly as easy when it's your life's work on the line, and you have the entire US government (including huge monetary fines and the possibility of jail time) coming down on you.

from the no-that-won't-be-abused-at-all dept

We've talked a lot about how the Justice Department (DOJ), mainly via the FBI, has been pushing for years to change the laws in order to require tech companies to build wiretapping backdoors into any and every form of communication online. As we've explained over and over again, this is a really silly proposal that won't make us any safer. Instead, it's likely to make us a lot less secure, because those backdoors will be abused, not just by law enforcement, but by those with malicious intent who will work hard to find the backdoors and make use of them.

The latest proposal on this front is equally ridiculous. While it wouldn't dictate specific wiretapping/backdoor standards, it would require that companies make some sort of backdoor available or face rapidly escalating fines.

Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.

This would be a disaster for innovative companies and for public security and privacy as well. The DOJ really needs to learn that not everything must be tappable. As it stands now, if I just sit on a park bench talking to someone, the DOJ can't tap it. Sometimes law enforcement doesn't get the right to hear everything I have to say. That's the nature of freedom and privacy protection that we're supposed to believe in. I'm sure with the news that chat apps are now more popular than SMS worldwide, law enforcement folks think that they need to "do something" to make sure they can spy on those conversations, but that's not true. Yes, it may make their job harder at times, but in a free country, the focus should be on protecting the freedom of the people, not decimating it to make the job of law enforcement easier. Those who commit crimes leave other clues beyond their communications online. Tapping such communications will lead to a massive security risk and huge expense for many innovative companies (likely slowing down the pace of innovation in that space). Is that worth it just so the DOJ can spy on what you have to say? That seems doubtful.